The Attack That Cost a Hospital $67 Million
In May 2024, Ascension Healthcare disclosed a ransomware attack that disrupted operations across 140 hospitals. Ambulances were diverted. Clinicians reverted to paper charts. The financial impact reportedly reached $1.8 billion in total losses for the fiscal year, with the cyber incident contributing an estimated $67 million in direct recovery costs. If you think your organization is too small or too prepared for something like this, I've got bad news: the threat actors disagree.
This post walks you through ransomware recovery steps that actually work — not theoretical frameworks, but the specific actions I've seen separate organizations that recover in days from those that bleed for months. Whether you're a CISO, IT director, or business owner, these steps apply right now in 2025's threat landscape.
Ransomware isn't slowing down. The FBI's Internet Crime Complaint Center (IC3) logged 2,825 ransomware complaints in its 2023 annual report, up 18% from 2022, and 1,193 of those came from organizations in critical infrastructure sectors. Nothing in the reporting since suggests the 2025 numbers will be better. Your recovery plan can't wait.
Step 1: Isolate the Infection — Speed Beats Perfection
The first 30 minutes after ransomware detonates determine whether you lose 10 servers or 10,000. Every minute a compromised machine stays on the network is a minute the operator's tooling keeps moving laterally and encrypting.
What to Do Immediately
- Disconnect affected systems from the network. Pull Ethernet cables. Disable Wi-Fi adapters. Don't power off if you can avoid it: shutting down destroys the volatile memory (running processes, network connections, sometimes the key material) that forensics depends on. If a machine cannot be disconnected and is actively encrypting, powering it off is the lesser evil.
- Isolate network segments. If your architecture supports it, shut down switch ports or VLAN connections to contain the blast radius.
- Disable remote access. Shut down VPN concentrators, RDP gateways, and any other remote desktop services. Threat actors often maintain persistence through these channels. Make sure your own responders keep an out-of-band path (console access, a separate admin network) before you cut the channels you may depend on yourself.
- Preserve at least one encrypted machine. Forensic investigators and law enforcement need an untouched sample, ideally with a memory image captured first, to identify the ransomware variant and the threat actor and to check whether a decryptor exists.
I've seen organizations make the mistake of immediately reimaging everything. That feels productive. It destroys evidence and guarantees you won't understand how the attacker got in — which means they'll get in again.
Step 2: Activate Your Incident Response Team
If you don't have a documented incident response plan, you're already behind. But even without one, here's who needs to be in the room within the first hour:
- IT/Security leadership — to coordinate technical containment and recovery.
- Legal counsel — to advise on breach notification obligations, regulatory exposure, and privilege considerations.
- Executive leadership — to authorize spending, approve communications, and make the pay-or-don't-pay decision.
- External IR firm — if you have a retainer (and you should), activate it now. If you don't, CISA's StopRansomware.gov resource hub can help you find vetted responders.
- Your cyber insurance carrier — notify them immediately. Many policies have strict notification windows.
Report It to Law Enforcement
File a report with the FBI IC3. I know some organizations hesitate, fearing publicity. Here's the reality: the FBI has helped claw back millions in ransom payments and can connect you with decryption keys recovered from disrupted threat actor infrastructure. In February 2024, Operation Cronos, led by the UK's National Crime Agency with the FBI and other partners, seized LockBit's infrastructure and obtained over a thousand decryption keys; the FBI later said it held more than 7,000 and urged victims to come forward. Reporting costs you nothing and may save everything.
Step 3: Determine the Scope and Variant
Before you can recover, you need to understand exactly what happened. This is where forensics earns its keep.
Key Questions to Answer
- Which ransomware variant hit you? (Check ransom notes, file extensions, and upload samples to ID Ransomware.)
- What was the initial access vector? Phishing email? Exploited VPN vulnerability? Stolen credentials from an infostealer?
- How far did lateral movement extend? Which systems, domains, and backup infrastructure were touched?
- Did the threat actor exfiltrate data before encrypting? Double extortion is now the norm, not the exception.
The Verizon 2024 Data Breach Investigations Report found that stolen credentials and phishing remain the top initial access methods, and that exploitation of vulnerabilities as an entry point nearly tripled year over year, driven largely by the MOVEit campaign. Understanding your specific vector is critical: it dictates what you patch, what you reset, and what you rebuild.
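As an added example (not part of the original post), here is a small Python triage script that does the first of the checks above mechanically: it walks a directory tree, flags files whose leading bytes have near-random entropy, tallies the extension those files share, and collects ransom-note candidates by filename. The note-name pattern, the 7.5-bit entropy cutoff and the sample tree it builds in a temp directory are assumptions for illustration. Use it to find the note and a representative encrypted file quickly, then give those to ID Ransomware rather than trusting the extension alone.

```python
# Added example, not from the original post: mechanical first pass at Step 3.
# Assumptions: the ransom-note filename pattern below, the 7.5-bit entropy cutoff,
# and the sample directory tree built in a temp folder are all illustrative.
import math
import random
import re
import tempfile
from collections import Counter
from pathlib import Path

# Ransom notes are small text/HTML files with names like RESTORE-MY-FILES.txt
# or README_TO_DECRYPT.html. Assumed pattern; real variants differ.
NOTE_NAME_RE = re.compile(
    r"(readme|recover|restore|decrypt|how_to|help).*\.(txt|html|hta)$", re.I
)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, English text around 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(root: Path, sample_bytes: int = 4096, entropy_cutoff: float = 7.5) -> dict:
    """Walk a tree; report the dominant extension on high-entropy files and note candidates."""
    ext_counts: Counter = Counter()
    high_entropy = 0
    notes = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if NOTE_NAME_RE.search(path.name):
            notes.append(path.relative_to(root).as_posix())
            continue
        with open(path, "rb") as fh:
            head = fh.read(sample_bytes)
        if shannon_entropy(head) >= entropy_cutoff:
            # Legitimately compressed files (zip, jpg, pdf streams) also land here,
            # which is why the *shared* suffix, not entropy alone, points at the variant.
            high_entropy += 1
            ext_counts[path.suffix.lower()] += 1
    suspect = ext_counts.most_common(1)[0][0] if ext_counts else None
    return {
        "suspect_extension": suspect,
        "high_entropy_files": high_entropy,
        "extension_counts": dict(ext_counts),
        "ransom_notes": sorted(notes),
    }


def build_sample_tree(root: Path) -> None:
    """Constructed sample data for the demo; not files from a real incident."""
    rng = random.Random(1)  # deterministic stand-in for ciphertext
    rand = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    (root / "finance").mkdir()
    for i in range(3):
        (root / "finance" / f"invoice{i}.pdf.locked").write_bytes(rand(4096))
    (root / "finance" / "RESTORE-MY-FILES.txt").write_text(
        "Your files are encrypted. Contact us to recover them.\n"
    )
    (root / "notes.txt").write_text("Quarterly planning notes and action items.\n" * 100)
    (root / "archive.zip").write_bytes(rand(4096))  # legit compressed file: high entropy too


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    print(demo())
```

Run it against a copy of an affected share, not the live evidence machine, and note that the entropy test alone will also flag archives and media files; the extension shared by the bulk of the high-entropy files is the signal that matters.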
Step 4: Assess Your Backups — The Make-or-Break Moment
This is where ransomware recovery steps succeed or collapse. Your backups are either your salvation or an expensive illusion.
What Good Looks Like
- Offline or immutable backups that the threat actor couldn't reach. Air-gapped tapes, immutable cloud snapshots, or write-once storage.
- Tested restores. A backup you've never tested is a hypothesis, not a recovery plan.
- Backup coverage that includes not just data but system state, Active Directory, application configs, and encryption keys/certificates.
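Here is one way to make "tested restores" concrete, as an added Python example that is not the post's own tooling: a hash manifest taken while the data was known good, authenticated with an HMAC key kept off the backup server so an attacker who owns that server cannot quietly rewrite it, and a verifier that diffs a restored tree against the manifest. The key, file names and the deliberately flawed restore in the demo are constructed for illustration.

```python
# Added example, not from the original post: restore verification by signed hash manifest.
# Assumptions: the HMAC key (in practice stored off the backup system), the file
# layout, and the deliberately flawed "restore" are all constructed for the demo.
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root, taken while the data is known good."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC over a canonical JSON encoding; keep the key away from the backup server."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_restore(restored_root, manifest: dict, tag: str, key: bytes) -> dict:
    """Check the manifest's signature, then diff the restored tree against it."""
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        raise ValueError("manifest signature mismatch: do not trust this manifest")
    actual = build_manifest(Path(restored_root))
    missing = sorted(set(manifest) - set(actual))          # backup job skipped or attacker deleted
    extra = sorted(set(actual) - set(manifest))            # never in the baseline: look at it
    modified = sorted(p for p in manifest.keys() & actual.keys() if manifest[p] != actual[p])
    return {"ok": not (missing or extra or modified),
            "missing": missing, "extra": extra, "modified": modified}


def demo() -> dict:
    """Constructed scenario: a good tree, a manifest signed at backup time, a flawed restore."""
    key = b"example-key-stored-outside-the-backup-system"  # assumption: illustrative key
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "good"
        (good / "app" / "config").mkdir(parents=True)
        (good / "app" / "config" / "db.ini").write_text("[db]\nhost=db01\n")
        (good / "app" / "service.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (good / "data.csv").write_text("id,amount\n1,10\n")
        manifest = build_manifest(good)
        tag = sign_manifest(manifest, key)

        restored = Path(tmp) / "restored"
        shutil.copytree(good, restored)
        (restored / "app" / "service.exe").write_bytes(b"MZ" + b"\x90" * 64)  # tampered binary
        (restored / "data.csv").unlink()                                     # silently skipped file
        (restored / "app" / "updater.dll").write_bytes(b"MZ")                # not in the baseline
        return verify_restore(restored, manifest, tag, key)


if __name__ == "__main__":
    print(demo())
```

The manifest and its tag belong with the offline copy of the backup, not on the backup server; anything that shows up as "extra" on a restored system is exactly the kind of dropped tool or persistence artifact Step 5 warns about restoring back into production.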
What I Usually Find
In my experience, about half the organizations hit by ransomware discover their backups are compromised, incomplete, or untested. Modern threat actors specifically target backup infrastructure, deleting Volume Shadow Copies (a standard pre-encryption step) and going after backup servers and their management consoles with the same domain credentials they use for everything else. Groups like BlackCat/ALPHV were known to delete Volume Shadow Copies and target Veeam backup servers before detonating the ransomware payload.
If your backups are intact, skip to Step 5. If they're compromised, you face a harder decision — and the clock is ticking.
Should You Pay the Ransom?
Let me be direct: the FBI and CISA advise against paying. I generally agree. Paying funds criminal operations, doesn't guarantee data recovery, and marks you as a future target. Sophos's State of Ransomware survey (2021) found that organizations that paid recovered on average only about 65% of their data.
But I've also been in rooms where a hospital can't treat patients, where a manufacturer is losing $500,000 per day, where there are no backups. The decision is yours, and it should involve legal counsel, your insurance carrier, and law enforcement input.
What you should never do: pay without consulting professionals first. Some threat actor groups, and the wallets they use, are designated by OFAC, and OFAC treats a payment to a sanctioned party as a strict-liability violation: your organization, and any negotiator or intermediary that facilitates the payment, can face civil penalties even without knowing who was on the other end.
Step 5: Eradicate the Threat Before Restoring
Here's where organizations make the second most common mistake. They restore from backups onto a network the attacker still controls.
Before You Restore Anything
- Reset every credential. Every single one. Domain admin, service accounts, local admin (with a unique password per host, via LAPS or equivalent), and KRBTGT twice, waiting at least 10 hours (the default maximum Kerberos ticket lifetime) and for replication to complete between the two resets. A Golden Ticket forged with the old KRBTGT hash keeps working until both resets are done, because domain controllers honor the previous key as well as the current one. Skip this and the attacker is back with domain admin as soon as the domain is online.
- Patch the initial access vector. If they got in through a Fortinet VPN vulnerability, that patch goes in before the network comes back.
- Rebuild domain controllers from clean media. Don't restore compromised DCs from backup — you may restore the attacker's persistence mechanisms with them.
- Deploy endpoint detection and response (EDR) on every system before reconnecting it. If you didn't have EDR before, this is the non-negotiable investment that comes out of the incident.
- Enforce multi-factor authentication across every remote access point and privileged account, and prefer phishing-resistant methods (FIDO2 keys, certificate-based authentication) over push notifications, which attackers defeat with MFA-fatigue prompting. Stolen credentials are how most ransomware operators get in and move laterally, and MFA is the single most effective control against that.
Step 6: Restore Operations in Priority Order
Don't try to bring everything back at once. Prioritize based on business impact.
A Practical Restoration Sequence
- Tier 1: Identity infrastructure (Active Directory, DNS, DHCP), core network services, and the logging and EDR platform you will use to watch everything else come back up.
- Tier 2: Business-critical applications — ERP, email, patient records, payment processing.
- Tier 3: User workstations, secondary applications, and non-critical systems.
Validate each restored system before connecting it to the production network. Run integrity checks. Compare file hashes against a known-good baseline. Monitor for anomalous outbound traffic, in particular regular, low-volume connections from one host to one external address, which is what a lingering command-and-control beacon looks like.
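The beacon check described above, as an added Python example that is not from the original post: it parses outbound connection records, groups them per (source, destination, port), and flags flows whose inter-connection gaps are too regular to be a human. The log line format, the sample records (constructed, using TEST-NET addresses), and the thresholds of at least 8 connections and a coefficient of variation at or below 0.2 are illustrative starting points, not a tuned detection.

```python
# Added example, not from the original post: beacon hunting over outbound
# connection logs while restored hosts sit in quarantine. Assumptions: the log
# line format, the constructed sample records (TEST-NET addresses), and the
# thresholds min_connections=8 / max_cv=0.2 are illustrative starting points.
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def parse(lines):
    """Yield (timestamp, src, dst, dport); silently skip lines that don't match."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            yield ts, m["src"], m["dst"], int(m["dport"])


def find_beacons(lines, min_connections=8, max_cv=0.2):
    """Flag (src, dst, dport) flows whose inter-connection gaps are suspiciously regular.

    A beacon with 10-20% sleep jitter has a coefficient of variation (stdev/mean)
    well under 0.2; human-driven traffic to the same host is far burstier.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, dport in parse(lines):
        by_flow[(src, dst, dport)].append(ts)
    findings = []
    for flow, times in by_flow.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append({"flow": flow, "connections": len(times),
                             "mean_interval_s": round(mean, 1), "cv": round(cv, 3)})
    return findings


def _flow_lines(start, src, dst, dport, gaps):
    """Render one flow as log lines, given the seconds between successive connections."""
    t = start
    stamps = [t]
    for g in gaps:
        t += timedelta(seconds=g)
        stamps.append(t)
    return [f"{x:%Y-%m-%dT%H:%M:%SZ} src={src} dst={dst} dport={dport}" for x in stamps]


def sample_log():
    """Constructed firewall export: one jittered beacon, one browsing session, one short flow."""
    start = datetime(2025, 3, 3, 9, 0, tzinfo=timezone.utc)
    beacon = _flow_lines(start, "10.0.5.21", "203.0.113.7", 443,
                         [60, 58, 63, 61, 57, 60, 62, 59, 64, 60, 58, 61])
    browsing = _flow_lines(start + timedelta(seconds=5), "10.0.5.21", "198.51.100.40", 443,
                           [3, 47, 120, 8, 260, 15, 90, 33, 180, 5, 70])
    short = _flow_lines(start, "10.0.5.22", "198.51.100.9", 53, [30, 30])
    return sorted(beacon + browsing + short)  # interleaved by timestamp, as a real export would be


def demo():
    return find_beacons(sample_log())


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Treat a hit as a lead, not a verdict: mature C2 frameworks randomize their sleep heavily and hide behind CDNs, so pair this with byte-count profiling and threat-intel lookups on the destination, and run it over a long enough window (hours, not minutes) that a slow beacon reaches the connection threshold.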
Step 7: Communicate — Internally and Externally
Silence breeds panic. Your employees, customers, regulators, and partners all need information — but different information at different times.
- Employees: Tell them what happened in plain language. Tell them what's expected of them (don't click anything, report anything suspicious, use alternate communication channels).
- Customers and partners: If data was exfiltrated, you likely have regulatory notification obligations. Work with legal. Be honest but precise.
- Regulators: HIPAA requires that breaches affecting 500 or more individuals be reported to HHS and the affected individuals (and, where more than 500 residents of one state or jurisdiction are affected, to prominent media) without unreasonable delay and no later than 60 days after discovery; smaller breaches are logged and reported to HHS annually. State breach notification laws vary widely. The SEC requires public companies to disclose a material cybersecurity incident on Form 8-K within four business days of determining that it is material, and that clock starts at the materiality determination, not at discovery.
Poor communication after the 2024 Change Healthcare ransomware attack compounded reputational damage and drew congressional scrutiny. Transparency isn't optional anymore.
Step 8: Conduct a Ruthless Post-Incident Review
Every ransomware incident I've worked reveals at least three things the organization could have done differently. The post-incident review is where you capture those lessons — or guarantee you'll repeat them.
What to Document
- Timeline of the attack — from initial access to detection to containment to recovery.
- What worked in your response and what didn't.
- Root cause analysis: what control failure allowed the initial compromise?
- Specific remediation actions with owners and deadlines.
This isn't a blame exercise. It's a construction project. You're building the defenses that prevent the next attack.
The Recovery Step Most Organizations Skip: Training Their People
Here's what I keep coming back to after years of incident response work. The Verizon 2024 DBIR confirms that the human element is involved in roughly 68% of breaches. Phishing, social engineering, credential theft — these are people problems, not just technology problems.
You can have the best backups, the best EDR, and the best incident response plan on paper. If an employee clicks a phishing link and enters their credentials on a spoofed login page, the ransomware recovery steps I just described become your Tuesday.
This is why ongoing cybersecurity awareness training for your entire organization isn't optional — it's a core recovery control. Trained employees catch phishing emails before they become incidents. They report suspicious activity faster. They don't reuse passwords across systems.
And specifically for the phishing vector — which remains the number one initial access method for ransomware — dedicated phishing awareness training with realistic phishing simulations measurably reduces click rates and builds the human firewall that technology alone can't provide.
What Are Ransomware Recovery Steps?
Ransomware recovery steps are the structured actions an organization takes after a ransomware attack to contain the damage, eradicate the threat, restore systems and data, and return to normal operations. The core steps include: isolating infected systems, activating incident response, assessing the ransomware variant and scope, validating backup integrity, eradicating attacker persistence, restoring operations in priority order, communicating with stakeholders, and conducting a post-incident review. Effective recovery depends on preparation — especially tested backups, incident response plans, and a zero trust security architecture that limits lateral movement.
Your Ransomware Recovery Starts Before the Attack
Every step I've outlined above works better — and faster — when you've prepared in advance. Test your backups quarterly. Run tabletop exercises. Implement multi-factor authentication everywhere. Adopt zero trust principles so a single compromised endpoint doesn't hand the attacker your entire domain.
And train your people. Not once a year with a compliance checkbox. Continuously, with realistic scenarios that mirror the social engineering tactics threat actors actually use in 2025.
The organizations that recover from ransomware in days instead of months aren't luckier. They're more prepared. Your move.